Lesson 8 C Troubleshoot Workstation Security Issues Flashcards
MALWARE VECTORS
Malware is usually simply defined as software that does something bad, from the perspective of the system owner. The more detailed classification of different malware types helps to identify the likely source and impact of a security incident. Some malware classifications focus on the vector used by the malware. The vector is the method by which the malware executes on a computer and potentially spreads to other network hosts.
Types of malware according to vector:
Viruses
Boot sector viruses
Trojans
Worms
Fileless malware
Viruses
These are concealed within the code of an executable process image stored as a file on disk. In Windows, executable code has extensions such as .EXE, .MSI, .DLL, .COM, .SCR, and .JAR. When the program file is executed, the virus code is also able to execute with the same privileges as the infected process. The first viruses were explicitly created to infect other files as rapidly as possible. Modern viruses are more likely to use covert methods to take control of the host.
Boot sector viruses
These infect the boot sector code or partition table on a disk drive. When the disk is attached to a computer, the virus attempts to hijack the bootloader process to load itself into memory.
Trojans
This is malware concealed within an installer package for software that appears to be legitimate. The malware will be installed alongside the program and execute with the same privileges. It might be able to add itself to startup locations so that it always runs when the computer starts or the user signs in. This is referred to as persistence.
Worms
These replicate between processes in system memory rather than infecting an executable file stored on disk. Worms can also exploit vulnerable client/server software to spread between hosts in a network.
Fileless malware
This refers to malicious code that uses the host’s scripting environment, such as Windows PowerShell or PDF JavaScript, to create new malicious processes in memory. As it may be disguised as script instructions or a document file rather than an executable image file, this type of malware can be harder to detect.
Classifying malware by payload identifies what type of actions the code performs other than simply replicating or persisting on a host.
Backdoors
Modern malware is usually designed to implement some type of backdoor, also referred to as a remote access Trojan (RAT). Once the malware is installed, it allows the threat actor to access the PC, upload/exfiltrate data files, and install additional malware tools. This could allow the attacker to use the computer to widen access to the rest of the network or to add it to a botnet and launch distributed denial of service (DDoS) attacks or mass-mail spam.
Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network. There are many means of implementing a covert C&C channel to evade detection and filtering. Historically, the Internet relay chat (IRC) protocol was popular. Modern methods are more likely to use command sequences embedded in HTTPS or DNS traffic.
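As an added example (not part of the course text), the following Python shows the kind of check a detection engineer runs over DNS logs to spot the C2-over-DNS pattern described above: one client repeatedly querying long, high-entropy subdomains under a single registered domain, which is how encoded commands and exfiltrated data are carried in query names. The log lines, the .example domain and the hex labels are constructed for the example; the length and entropy thresholds, and the "last two labels" approximation of a registered domain, are assumptions that a real tool would tune and replace with the public suffix list.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one "timestamp client qtype qname" record per line.
# The .example zone and the hex labels are invented stand-ins for encoded C2 traffic.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.microsoft.com
2024-05-01T10:00:02Z 10.0.0.5 A login.microsoftonline.com
2024-05-01T10:00:03Z 10.0.0.5 A ocsp.digicert.com
2024-05-01T10:00:04Z 10.0.0.7 A update.windows.com
2024-05-01T10:00:05Z 10.0.0.7 TXT 9c2f6a0e4b8d17353e7a1c5f9b0d2684.updates-cdn.example
2024-05-01T10:00:35Z 10.0.0.7 TXT 3e7a1c5f9b0d2684c2f6a0e4b8d17359.updates-cdn.example
2024-05-01T10:01:05Z 10.0.0.7 TXT e7a1c5f9b0d268439c2f6a0e4b8d1735.updates-cdn.example
2024-05-01T10:01:35Z 10.0.0.7 TXT 2f6a0e4b8d17359c7a1c5f9b0d26843e.updates-cdn.example
2024-05-01T10:02:05Z 10.0.0.7 TXT f6a0e4b8d17359c2a1c5f9b0d26843e7.updates-cdn.example
2024-05-01T10:02:06Z 10.0.0.9 A cdn-static-01.example.net
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation (assumption); use the public suffix list in production."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_encoded_label(label: str, min_len: int = 20, min_entropy: float = 3.0) -> bool:
    """Long and high-entropy labels are the signature of data packed into a query name.
    Both thresholds are assumptions chosen for this example."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(log_text: str):
    """Yield (client, qtype, qname) from the constructed log format; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, client, qtype, qname = parts
        yield client, qtype, qname.lower()


def find_dns_beacons(log_text: str, min_unique: int = 4) -> dict:
    """Return {(client, registered_domain): number of distinct encoded subdomains}
    for every client/domain pair that queried at least `min_unique` of them."""
    seen = defaultdict(set)
    for client, _qtype, qname in parse_log(log_text):
        leftmost = qname.split(".")[0]
        if is_encoded_label(leftmost):
            seen[(client, registered_domain(qname))].add(leftmost)
    return {key: len(labels) for key, labels in seen.items() if len(labels) >= min_unique}


if __name__ == "__main__":
    for (client, domain), count in find_dns_beacons(SAMPLE_DNS_LOG).items():
        print(f"{client} sent {count} encoded-looking queries under {domain}")
```

The same heuristic applied to HTTPS would look at beacon timing and request sizes rather than names, since the content is encrypted; on a DNS log it is the query names themselves that leak the channel.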
Spyware is malware that can perform browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks, and so on. Spyware might also be able to monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform DNS redirection to spoofed sites.
Keylogger
A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.
Keyloggers are not only implemented as software. A malicious script can transmit key presses to a third-party website. There are also hardware devices to capture key presses to a modified USB adapter inserted between the keyboard and the port.
Rootkits
In Windows, installing software into system locations or for all users requires local administrator privileges. This means the user must be confident enough in the installer package to enter the credentials or accept the User Account Control (UAC) prompt. Additionally, Windows tries to protect the OS files from abuse of administrator privileges. Critical processes run with a higher level of privilege (SYSTEM). Consequently, Trojans installed in the same way as regular software cannot conceal their presence entirely and will show up as a running process or service. Often the process image name is configured to be similar to a genuine executable or library to avoid detection. For example, a Trojan may use the filename "rundl132.exe" (digit one in place of the letter l) to masquerade as the genuine "rundll32.exe". To ensure persistence, the Trojan may have to use a registry entry (such as a Run key) or create itself as a service. All these techniques are relatively easy to detect and remediate.
If the malware can be delivered as the payload for an exploit of a severe vulnerability, it may be able to execute without requiring any authorization, using SYSTEM privileges. Alternatively, the malware may be able to use an exploit to escalate privileges after installation. Malware that runs with this level of privilege and uses it to conceal itself is referred to as a rootkit. The term derives from UNIX/Linux, where any process running as root has unrestricted access to everything from the root of the file system down.
In theory, there is nothing about the system that a rootkit could not change. In practice, Windows uses other mechanisms to prevent misuse of kernel processes, such as code signing (microsoft.com/security/blog/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard). Consequently, what a rootkit can do depends largely on adversary capability and level of effort. When dealing with a rootkit, you should be aware that there is the possibility that it can compromise system files and programming interfaces so that local shell processes, such as Explorer or Task Manager on Windows, ps or top on Linux, and port-listening tools ( netstat, for example), no longer reveal their presence (when run from the infected machine, that is). A rootkit may also contain tools for cleaning system logs, further concealing its presence.
Ransomware
is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may apparently block access to the file system by installing a different shell program, but this sort of attack is usually relatively simple to fix.
Crypto-ransomware attempts to encrypt files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without the decryption key, which is held by the attacker (typically the private half of a key pair whose public half was used during encryption). This sort of attack is extremely difficult to mitigate unless the user has up-to-date backups that the malware could not reach, such as offline or versioned copies. One example of crypto-ransomware is CryptoLocker, a Trojan that searches for files to encrypt and then prompts the victim to pay a sum of money before a countdown expires, after which the malware destroys the key that allows decryption.
Ransomware uses payment methods such as wire transfer, cryptocurrency, or premium-rate phone lines to allow the attacker to extort money without revealing his or her identity or being traced by local law enforcement.
Cryptominer
A cryptominer hijacks the resources of the host to perform cryptocurrency mining. This is also referred to as cryptojacking. In proof-of-work cryptocurrencies such as Bitcoin, new coins are issued as the reward for solving the computationally expensive calculations that validate a new block of the blockchain, and the difficulty of those calculations limits the rate at which coins are created. Consequently, new coins can be very valuable, but it takes enormous computing resources to obtain them, which is why cryptomining is often performed across botnets.
The multiple classifications for malware vectors and payloads mean that there can be very many different symptoms of security issues. In very general terms, any sort of activity or configuration change that was not initiated by the user is a good reason to suspect malware infection.
Performance Symptoms
When the computer is slow or “behaving oddly,” one of the things you should suspect is malware infection. Some specific symptoms associated with malware include:
- The computer fails to boot or experiences lockups.
- Performance at startup or in general is very slow.
- The host cannot access the network and/or Internet access or network performance is slow.
The problem here is that performance issues could have a wide variety of other causes. If you identify these symptoms, run an antivirus scan. If this is negative but you cannot diagnose another cause, consider quarantining the system or at least putting it under close monitoring.
Application Crashes and Service Problems
One of the key indicators of malware infection is that security-related applications, such as antivirus, firewall, and Windows Update, stop working. You might notice that OS updates and virus definition updates fail. You might also notice that applications or Windows tools (Task Manager, for instance) stop working or crash frequently.
Software other than Windows is often equally attractive to malware writers, as not all companies are diligent in terms of secure coding. Software that uses browser plug-ins is often targeted; examples include Adobe's Reader software for PDFs and Flash Player (now discontinued, but still present on unmaintained hosts). If software from a reputable vendor starts crashing (faulting) repeatedly, suspect malware infection and apply quarantining/monitoring procedures.
File System Errors and Anomalies
Another marker for malware infection is changes to system files and/or file permissions. Symptoms of security issues in the file system include the following:
- Missing or renamed files.
- Additional executable files with names similar to those of authentic system files and utilities, such as scvhost.exe or ta5kmgr.exe.
- Altered system files or personal files with date stamps and file sizes that are different from known-good versions.
- Files with changed permissions attributes, resulting in “Access Denied” errors.
These sorts of issues are less likely to have other causes so you should quarantine the system and investigate it closely.
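The two file-system markers above (look-alike names such as scvhost.exe, and system files whose content no longer matches a known-good copy) can both be checked mechanically. The Python below is an added example, not code from the course: it normalises the digit-for-letter substitutions attackers favour, uses an edit distance that counts a swapped pair of letters as one change (so scvhost is one step from svchost), and compares SHA-256 hashes of observed files against a baseline. The file contents and baseline are constructed stand-ins; a real run would hash the files in System32 and compare against hashes captured from a clean build or from the vendor.

```python
import hashlib

# Digit/letter pairs that are easily confused in a process list or file listing.
# Both the observed name and the genuine name are normalised with this table before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalize(name: str) -> str:
    return name.lower().translate(CONFUSABLES)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus a swap of two
    adjacent characters, so the transposition in scvhost vs svchost costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_like_masquerade(name: str, known_names, max_distance: int = 1):
    """Return the genuine file name that `name` imitates, or None if it is unrelated."""
    if name in known_names:
        return None
    for good in sorted(known_names):
        if osa_distance(normalize(name), normalize(good)) <= max_distance:
            return good
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_listing(observed: dict, baseline: dict) -> list:
    """observed: {file name: file bytes}; baseline: {file name: SHA-256 of the known-good copy}.
    Returns (file name, finding) pairs for altered, look-alike and missing files."""
    findings = []
    for name, data in sorted(observed.items()):
        if name in baseline:
            if sha256_hex(data) != baseline[name]:
                findings.append((name, "hash differs from known-good"))
        else:
            target = looks_like_masquerade(name, baseline)
            if target:
                findings.append((name, f"resembles system file {target}"))
    for name in sorted(baseline):
        if name not in observed:
            findings.append((name, "missing"))
    return findings


# Constructed stand-ins for file contents; no real Windows binaries are embedded here.
KNOWN_GOOD = {
    "svchost.exe": b"MZ known-good svchost",
    "taskmgr.exe": b"MZ known-good taskmgr",
    "rundll32.exe": b"MZ known-good rundll32",
    "notepad.exe": b"MZ known-good notepad",
    "calc.exe": b"MZ known-good calc",
}
BASELINE = {name: sha256_hex(data) for name, data in KNOWN_GOOD.items()}

# What a scan of a suspect machine's System32 might return (constructed).
OBSERVED = {
    "svchost.exe": KNOWN_GOOD["svchost.exe"],
    "scvhost.exe": b"MZ dropper",          # transposed letters
    "taskmgr.exe": KNOWN_GOOD["taskmgr.exe"],
    "ta5kmgr.exe": b"MZ dropper",          # digit 5 in place of s
    "rundll32.exe": KNOWN_GOOD["rundll32.exe"],
    "rundl132.exe": b"MZ dropper",         # digit 1 in place of l
    "notepad.exe": b"MZ patched notepad",  # genuine name, altered content
    # calc.exe is absent from the listing: a missing system file
}

if __name__ == "__main__":
    for name, finding in audit_listing(OBSERVED, BASELINE):
        print(f"{name:14} {finding}")
```

Run on a rootkit-compromised host, a listing like this is only as honest as the file system API that produced it; hash the disk from a clean boot environment if the machine is suspected of hiding files.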
Desktop Alerts and Notifications
While there are some critical exploits that allow malicious code to execute without authorization, to infect a fully patched host malware usually requires the user to explicitly install the product and confirm the UAC consent prompt. However, the malware may be able to generate something that looks like a Windows notification without being fully installed. One technique is to misuse the push notification system that allows a website to send messages to a device or app. The notification will be designed to trick or frighten the user into installing the malware by displaying a fake virus alert, for example. A notification may also link to a site that has a high chance of performing a drive-by download on an unpatched host.
Rogue antivirus is a particularly popular way to disguise a Trojan. In the early versions of this attack, a website would display a pop-up disguised as a normal Windows dialog box with a fake security alert, warning the user that viruses have been detected. As browsers and security software have moved to block this vector, cold-calling vulnerable users, then claiming to represent Microsoft support or the user's ISP and asking them to enable a remote desktop tool, has become a popular attack.
Malware often targets the web browser. Common symptoms of infection by spyware or adware are random or frequent pop-ups, installation of additional toolbars, a sudden change of home page or search provider, searches returning results that are different from other computers, slow performance, and excessive crashing. Viruses and Trojans may spawn pop-ups without the user opening the browser.
Redirection
Redirection is where the user tries to open one page but gets sent to another. Often this may imitate the target page. In adware, this is just a blunt means of driving traffic through a site, but spyware may exploit it to capture authentication details.
Redirection may occur when entering URL web addresses manually or when performing searches. If a user experiences redirection, check the HOSTS file (%SystemRoot%\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux) for malicious entries. HOSTS is a legacy means of mapping domain names to IP addresses that is consulted before DNS, which makes it a popular target for malware. Also verify which DNS servers the client is configured to use (ipconfig /all on Windows). Compare the search results returned by a suspect machine with those from a known-good workstation.
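The HOSTS check above is easy to script. The following Python is an added example (not from the course) that parses a HOSTS file and reports three things a technician would want flagged: a well-known domain overridden at all, a name sinkholed to 127.0.0.1 or 0.0.0.0 (the classic way to block antivirus and update sites), and a name pointed outside the private address ranges where an intranet shortcut would normally live. The sample file, the watch list of domains, and the choice of private ranges are assumptions for the example; 203.0.113.0/24 is reserved documentation address space, not a real host.

```python
import ipaddress
import os

# Ranges in which a HOSTS override is normally legitimate (an internal shortcut).
# ipaddress's is_global is avoided deliberately: it classes RFC 5737 documentation space as non-global.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Sample watch list of domains malware commonly redirects or blocks; extend it for your environment.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "paypal.com", "google.com")

# Constructed HOSTS file for the example.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.corp.local   # legitimate internal shortcut
10.0.0.8        fileserver
203.0.113.45    www.paypal.com        # brand site pointed at an attacker-controlled address
0.0.0.0         update.microsoft.com  # blocks update traffic
127.0.0.1       windowsupdate.microsoft.com
"""


def parse_hosts(text: str):
    """Yield (ip, [names]) for each active line, ignoring blank lines and # comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real tool would report it rather than skip it
        yield parts[0], parts[1:]


def is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> list:
    """Return (name, ip, reason) triples for entries that deserve a second look."""
    findings = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in (n.lower() for n in names):
            if name in LOCAL_NAMES:
                continue
            if is_watched(name):
                findings.append((name, ip, "well-known domain overridden"))
            if addr.is_loopback or addr.is_unspecified:
                findings.append((name, ip, "sinkholed to loopback/0.0.0.0"))
            elif not any(addr in net for net in PRIVATE_NETS):
                findings.append((name, ip, "points outside private address space"))
    return findings


if __name__ == "__main__":
    # Default to the live file on the current OS; pass a path to audit a copy taken from another machine.
    import sys
    default = r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as fh:
        for name, ip, reason in audit_hosts(fh.read()):
            print(f"{ip:16} {name:32} {reason}")
```

Malware sometimes writes the file with hidden or system attributes, or appends its entries after hundreds of blank lines so that a quick look in Notepad shows nothing; parsing the whole file as above sidesteps both tricks.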
Certificate Warnings
When you browse a site using a certificate, the browser displays the information about the certificate in the address bar. If the certificate is untrusted or otherwise invalid, the padlock icon is replaced by an alert icon, the URL is displayed with strikethrough formatting, and the site content is likely to be blocked by a warning message.
The most common causes of certificate warnings are:
- The certificate is self-signed or issued by a CA that is not trusted.
- The FQDN requested by the browser does not match any of the subject alternative name (SAN) entries in the certificate (older certificates carried the name only in the subject common name, which modern browsers no longer consult).
- The certificate has expired or is listed as revoked.
Each of these warnings could either indicate that the site is misconfigured or that some malware on the computer is attempting to redirect the browser to a spoofed page. Analyze the certificate information and the URL to determine the likely cause.
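To make the three causes concrete, here is an added Python example (not course material) that applies the same checks a browser does to a certificate in the dictionary form returned by Python's ssl.SSLSocket.getpeercert(): trust in the issuer (with a self-signed certificate, where issuer equals subject, as the special case), a hostname match against the SAN list including the single-label wildcard rule, the validity window, and a revocation lookup. The certificates, the trust store, the revoked serial and the clock value are all constructed for the example; a real check would take the certificate from a live connection and the trust and revocation data from the OS.

```python
import ssl


def rdn_to_dict(rdns) -> dict:
    """Flatten the nested subject/issuer tuples of getpeercert() into a plain dict."""
    flat = {}
    for rdn in rdns:
        for key, value in rdn:
            flat[key] = value
    return flat


def dns_names(cert: dict) -> list:
    """Names the certificate is valid for: the SAN DNS entries, or the CN only when
    there is no SAN at all (browsers ignore the CN once a SAN is present)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = rdn_to_dict(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    return [n.lower() for n in names]


def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def classify_warnings(cert: dict, requested_fqdn: str, trusted_ca_names, revoked_serials, now: float) -> list:
    """Return the reasons a browser would warn about `cert` for the typed `requested_fqdn`.
    `now` is epoch seconds so the result does not depend on the wall clock."""
    reasons = []
    subject, issuer = rdn_to_dict(cert["subject"]), rdn_to_dict(cert["issuer"])
    if subject == issuer:
        reasons.append("self-signed")
    elif issuer.get("commonName") not in trusted_ca_names:
        reasons.append("issuer not trusted")
    if not any(hostname_matches(n, requested_fqdn) for n in dns_names(cert)):
        reasons.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    if cert.get("serialNumber") in revoked_serials:
        reasons.append("revoked")
    return reasons


def make_cert(cn, issuer_cn, sans, not_before, not_after, serial) -> dict:
    """Build a getpeercert()-shaped dict; constructed test data, not a parsed certificate."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": tuple(("DNS", s) for s in sans),
        "notBefore": not_before,
        "notAfter": not_after,
        "serialNumber": serial,
    }


TRUSTED_CAS = {"Example Root CA"}   # stand-in for the OS/browser trust store
REVOKED_SERIALS = {"0B"}            # stand-in for a CRL or OCSP lookup result
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2025 GMT")

GOOD = make_cert("www.example.com", "Example Root CA", ["www.example.com", "*.example.com"],
                 "Jan 10 00:00:00 2025 GMT", "Jan 10 00:00:00 2026 GMT", "0A")
SELF_SIGNED = make_cert("router.local", "router.local", ["router.local"],
                        "Jan 10 00:00:00 2025 GMT", "Jan 10 00:00:00 2035 GMT", "01")
EXPIRED = make_cert("old.example.com", "Example Root CA", ["old.example.com"],
                    "Jan 10 00:00:00 2023 GMT", "Jan 10 00:00:00 2024 GMT", "05")
REVOKED = make_cert("shop.example.com", "Example Root CA", ["shop.example.com"],
                    "Jan 10 00:00:00 2025 GMT", "Jan 10 00:00:00 2026 GMT", "0B")

if __name__ == "__main__":
    cases = [("good", GOOD, "www.example.com"), ("wrong host", GOOD, "example.com"),
             ("self-signed", SELF_SIGNED, "router.local"), ("expired", EXPIRED, "old.example.com"),
             ("revoked", REVOKED, "shop.example.com")]
    for label, cert, host in cases:
        print(f"{label:12} {classify_warnings(cert, host, TRUSTED_CAS, REVOKED_SERIALS, NOW) or 'no warning'}")
```

When troubleshooting, the "name mismatch" case is the one to weigh most carefully: a certificate that is trusted and valid but issued for a different name than the one typed is exactly what a HOSTS or DNS redirection to a spoofed page looks like from the browser's point of view.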